French Data Protection Act: What’s New?


The new version of the French Data Protection Act (Law No. 2018-493 of June 20, 2018) was adopted on June 20, 2018. The first version (entered into force on January 6, 1978) was modified twice: in 2004 following the transposition of Directive 95/46 on the protection of personal data, and in 2016 following the French Digital Republic Law. The latest version was adopted following the General Data Protection Regulation 2016/679 (GDPR). The GDPR was adopted in May 2016 and implemented on May 25, 2018. The GDPR is directly applicable in all EU member states. The new French Data Protection Act facilitates an effective application of the GDPR and of Directive (EU) 2016/680. The new version is composed of 72 articles and includes the changes made to the previous French Data Protection Act. The GDPR replaces the national law in some areas, such as the rights of data subjects, the legal bases for processing, security measures, transfers, etc.

In other areas, the new French Data Protection Act integrates the GDPR. It applies to health data, criminal convictions and offense records, data processing for journalistic purposes, etc. Moreover, the GDPR includes 56 references to the national laws of the EU member states. Thus, the data protection legal framework is a mixed legal framework composed of national and European laws.

To reinforce the legibility of the composite legal framework, a Government Ordinance was adopted to add more details to the French Data Protection Act within six months. A new decree implementing the Data Protection Act is also expected to be adopted in the coming weeks. In the meantime, the French Data Protection Authority (CNIL) recommends paying particular attention to the legal framework applicable to each processing operation.